The Texas Data Privacy and Security Act (TDPSA), effective July 1st, 2024, has introduced comprehensive data privacy regulations to protect the personal data of Texas residents.
The TDPSA affects businesses operating in Texas or dealing with the personal data of Texas residents. This blog post will cover everything you need to know about the TDPSA, focusing on its main implications for businesses of all sizes.
The TDPSA was originally enacted on June 18th, 2023, by Senator Giovanni Capriglione as a way to formalize comprehensive data privacy protections for Texas residents and to regulate how businesses collect, process, and secure personal data. With the law, Texas became the 10th state in the U.S. to authorize a comprehensive privacy law that protects resident consumers.
Texas heavily bases its privacy law on existing state regulations, mainly the Virginia Consumer Data Protection Act (VCDPA) and, to a slightly lesser extent, the California Consumer Privacy Act (CCPA).
While the new regulations formally took effect on July 1st, 2024, businesses have a grace period of around 6 months (January 2025) to fully implement and comply with the key provisions outlined in the TDPSA. Each violation may result in a civil penalty of up to $7,500. This may add up quickly if an organization doesn’t take the necessary steps to ensure compliance.
The Texas Data Privacy and Security Act (TDPSA) imposes several key requirements on businesses to ensure the protection of personal data and compliance with privacy standards. Here are some of the main requirements:
Businesses must provide clear and accessible privacy notices that detail the categories of personal data collected, the purposes of data processing, how consumers can exercise their rights, and any data sharing practices with third parties.
Businesses should collect only the personal data necessary for the specified purposes disclosed to consumers and must obtain consent before collecting additional data.
Businesses must adopt reasonable security measures, including technical, administrative, and physical safeguards, to protect personal data from unauthorized access, disclosure, or destruction. In the event of a data breach affecting more than 250 Texans, businesses must notify the Texas Attorney General within 30 days of discovery.
Businesses must obtain explicit consent from consumers before processing sensitive personal data. This includes data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, genetic or biometric data, and personal data of children under 13.
By January 2025, businesses must recognize and honor universal opt-out signals, such as the Global Privacy Control (GPC), which let consumers opt out of the processing of their personal data for targeted advertising and for sales of that data.
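The following is an added example, not code from the original post, showing what honoring a Global Privacy Control signal looks like on the server side. It assumes the GPC specification's transport, the HTTP request header Sec-GPC with the exact value "1" (any other value, or a missing header, counts as no signal); the request headers and the consent record below are constructed for illustration.

```python
# Added example (not from the original post): honoring a Global Privacy Control
# (GPC) opt-out signal. Assumes the GPC spec's "Sec-GPC: 1" request header;
# the request headers and consent records here are constructed sample data.
from dataclasses import dataclass

GPC_HEADER = "sec-gpc"  # header names are case-insensitive in HTTP


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the request carries Sec-GPC with the exact value "1".

    Any other value ("0", "true", empty) is treated as no signal, so a
    misconfigured client cannot accidentally opt a consumer out or in.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class ProcessingConsent:
    """The two processing purposes a GPC signal opts the consumer out of."""
    targeted_advertising: bool
    sale_of_personal_data: bool
    source: str  # where this decision came from, kept for audit logs


def apply_opt_out_signal(headers: dict, current: ProcessingConsent) -> ProcessingConsent:
    """Apply a GPC signal to the consumer's current consent record.

    A present signal switches off targeted advertising and sale of personal
    data and records "gpc" as the source; otherwise the record is unchanged.
    """
    if gpc_signal_present(headers):
        return ProcessingConsent(
            targeted_advertising=False,
            sale_of_personal_data=False,
            source="gpc",
        )
    return current


def audit_requests(requests: list) -> dict:
    """Summarise, for a batch of (request_id, headers) pairs, which requests
    carried a valid GPC signal. Useful as a quick self-check that the signal
    is actually being seen at the application layer (e.g. not stripped by a
    proxy) before it is wired into consent handling."""
    return {req_id: gpc_signal_present(hdrs) for req_id, hdrs in requests}


# Constructed sample traffic: one browser sending the signal, one sending an
# invalid value, one sending nothing.
SAMPLE_REQUESTS = [
    ("r1", {"Host": "example.test", "Sec-GPC": "1"}),
    ("r2", {"Host": "example.test", "sec-gpc": "0"}),
    ("r3", {"Host": "example.test"}),
]

if __name__ == "__main__":
    default = ProcessingConsent(True, True, source="default")
    for req_id, hdrs in SAMPLE_REQUESTS:
        print(req_id, apply_opt_out_signal(hdrs, default))
    print(audit_requests(SAMPLE_REQUESTS))
```

The decision is kept in a separate consent record rather than applied inline in each data pipeline, so the same record can be written to an audit trail showing when and why processing for advertising or sale was switched off.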
For more information, please refer to the official post on the Texas Attorney General's website.
Businesses serving consumers in Texas must take this legislation seriously: because penalties are assessed per violation, the fines can add up quickly even from a single incident.
Most importantly, companies will need to take a holistic approach to data management, ensuring that all personal data collected, processed, and stored is done so in compliance with the TDPSA. This includes:
Next, businesses will have to establish strict policies, procedures, and technical measures to ensure compliance with the Texas Privacy Law.
Under the Senate’s privacy bill, data controllers must:
Collaborating with compliance experts may save time, reduce risks, and ensure thorough adherence to the law's requirements.
Some businesses, including some limited liability partnerships (LLP), may be exempt from the TDPSA if they fall into one of the following general exemption categories:
Complying with stringent regulations like TDPSA is not easy. It requires organizational buy-in and the appropriate leadership structures to ensure comprehensive data privacy and security. This is where Defensible’s vCISO (Virtual Chief Information Security Officer) service can make a significant difference.
Our vCISO service provides expert guidance and support to help your organization navigate the complexities of the TDPSA and other data privacy regulations. Here’s how Defensible can assist you:
Our vCISOs are well-versed in the latest regulatory requirements and best practices for data privacy and security. They can help your organization interpret and implement the TDPSA's provisions effectively.
We conduct thorough data protection assessments to identify potential risks and vulnerabilities in your data handling practices. These assessments are critical for complying with the TDPSA’s requirement for regular evaluations of data processing activities.
Defensible assists in developing clear and comprehensive privacy policies that meet TDPSA standards. We ensure your privacy notices are transparent and accessible and provide all necessary disclosures to consumers.
To learn more, contact us now for a free, obligation-free consultation!